Module org.elasticsearch.security
Class DeprecationRoleDescriptorConsumer

java.lang.Object
    org.elasticsearch.xpack.security.authz.store.DeprecationRoleDescriptorConsumer

All Implemented Interfaces:
    Consumer<Collection<RoleDescriptor>>

public final class DeprecationRoleDescriptorConsumer
extends Object
implements Consumer<Collection<RoleDescriptor>>
Inspects all aliases that have greater privileges than the indices they point to and logs the role descriptors that grant privileges
in this manner as deprecated and requiring changes. This is done in preparation for the removal of the ability to define privileges over
aliases. The log messages are generated asynchronously and do not generate deprecation response headers. One log entry is generated for
each role descriptor and alias pair, and it lists all the indices for which the privileges are a subset of those of the alias. In this
case, the administrator has to adjust the index privileges definition of the respective role so that its name patterns do not cover aliases
(or rename the aliases).

If no logging is generated, then the roles used for the current indices and aliases are not vulnerable to the subsequent breaking change.
However, there could be role descriptors that are not in use (not mapped to a user that is currently using the system) and are therefore
invisible to this check. Moreover, role descriptors can be added dynamically by role providers. In addition, role descriptors are merged
when building the effective role, so a role-alias pair reported as deprecated might not actually have an impact if other role descriptors
cover its indices.

The check iterates over all indices and aliases for each role descriptor, so it is computationally expensive. For this reason the check is
run only once a day for each role. If the role definitions stay the same, the deprecations can change from one day to the next only when
aliases or indices are added.
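The check described above, as an added and simplified Python model rather than Elasticsearch's own code (the real consumer reads ClusterService metadata, resolves privilege names such as `all` into their constituent actions, and rate-limits itself to once a day per role). The alias, index and role data are constructed samples, and privilege names are treated as opaque labels:

```python
import fnmatch

# Constructed sample cluster metadata: alias name -> the indices it points to.
ALIASES = {
    "logs": ["logs-2024.01", "logs-2024.02"],
    "metrics": ["metrics-2024.01"],
}

# Constructed sample role descriptors: role name -> list of
# (index name patterns, privileges granted), as in a role's "indices" section.
ROLES = {
    # "logs" matches only the alias, so the alias gets write while its indices get read.
    "alias_writer": [(["logs", "metrics*"], {"read", "write"}), (["logs-*"], {"read"})],
    # Alias and indices resolve to the same privileges: nothing to report.
    "index_reader": [(["logs-*", "logs"], {"read"})],
}


def privileges_for(role, name):
    """Union of the privileges every pattern in the role grants to an index or alias name."""
    granted = set()
    for patterns, privs in role:
        if any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns):
            granted |= privs
    return granted


def find_deprecated_alias_privileges(roles, aliases):
    """Return {(role, alias): [indices]} for every alias whose privileges strictly exceed
    those of an index it points to; each key is one role/alias pair the consumer would log."""
    findings = {}
    for role_name, role in roles.items():
        for alias, indices in aliases.items():
            alias_privs = privileges_for(role, alias)
            if not alias_privs:
                continue  # the role says nothing about this alias
            # Proper subset: the index is reachable with more privileges through the alias.
            affected = [idx for idx in indices if privileges_for(role, idx) < alias_privs]
            if affected:
                findings[(role_name, alias)] = affected
    return findings


def deprecation_messages(findings):
    """One message per role/alias pair listing all affected indices, as the consumer logs it."""
    return [
        f"Role [{role}] grants privileges over alias [{alias}] that exceed those over its "
        f"indices {indices}; adjust the role's index name patterns or rename the alias"
        for (role, alias), indices in sorted(findings.items())
    ]
```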
Constructor Summary

Constructor:
    DeprecationRoleDescriptorConsumer(ClusterService clusterService, ThreadPool threadPool)

Method Summary

Modifier and Type: void
Method:
    accept(Collection<RoleDescriptor> effectiveRoleDescriptors)

Constructor Details

DeprecationRoleDescriptorConsumer
    DeprecationRoleDescriptorConsumer(ClusterService clusterService, ThreadPool threadPool)

Method Details

accept
    void accept(Collection<RoleDescriptor> effectiveRoleDescriptors)
Specified by:
    accept in interface Consumer<Collection<RoleDescriptor>>